CyberheistNews Vol 6 #8 [ALERT] It's Here. New Ransomware Hidden In Infected Word Files

It was only a matter of time, but some miscreant finally did it. There is a new ransomware strain somewhat amateurishly called "Locky", but this is professional grade malware. The major headache is that this flavor starts out with a Microsoft Word attachment which has malicious macros in it, making it hard to filter out.

Over 400,000 workstations were infected in just a few hours, data from Palo Alto Networks shows. Antivirus engines are being updated to catch it but many of them took a day or so.

The bad guys use social engineering twice to trick the user first into opening the attachment, and then to enable the macros in the Word file. The malicious code itself was written in Office VBA, and closely mimics Dridex Banking Trojan infections, suggesting it is the same cybermafia behind it.

Once an employee enables the macros, the macros will download an executable from a remote server and execute it. The file that is downloaded by the macro will be stored in the %Temp% folder and executed. This executable is the Locky ransomware that when started will begin to encrypt the files on the workstation, then both mapped and unmapped network drives.

What To Do About It

At this time, there is no known way to decrypt files encrypted by Locky. At the KnowBe4 blog, we have a lot more links and information, showing all the points of failure that would allow Locky to get into your systems, and also a little-known way to disable macros network-wide to prevent malicious code like this to encrypt your files.

Learn how to keep this nasty out now:
https://blog.knowbe4.com/its-here.-new-ransomware-hidden-in-infected-word-files

Netflix’s popularity continues to grow fast, and they recently launched their streaming service globally. Obviously that makes them a hacker target. At the moment, there are active malware and phishing campaigns targeting Netflix users. The operations are fairly sophisticated, so it is likely this is the work of an Eastern European cybermafia.

Some of the campaigns are dropping actual malware on the box, others phish for the user's login and/or payment information and sell these on the dark web. All of the campaigns start with some form of social engineering.

In the case of malware, users infect their machine at the moment where they are tricked into acting on a fake ad for a cheaper version of Netflix. Once installed, the malware poses as Netflix and compromises the system with a Trojan.

Symantec researchers wrote about one good example of credentials-phishing that targets Danish Netflix users. A fake email tried to trick them into updating their account due to a payment issue, mistakenly sending their bank details directly into the hands of cyber scammers.

I suggest you send the following to your employees, friends and family: "Cybercriminals are targeting Netflix users with several scams you need to watch out for. Some of these scams claim you need to update your payment information, and others try to trick you into downloading software for a cheaper version of Netflix. Do not fall victim for any of these tricks.

"Only download Netflix software from the Netflix website or official app stores, and always go to these websites yourself instead of clicking on a link in an email. Also, if you receive an email that looks like it is from Netflix, and claim you need to update payment information, do not click on any links or open any attachments. Go to the Netflix website yourself using your browser and check your account. Call their customer service if you want to be 100% sure, using the 800 number you found on their website."

For KnowBe4 customers, send your users a phishing security test to inoculate them against Netflix scams. You can find the template in Phishing -> Email Templates -> System Templates -> Current Events -> "Netflix Alerts: Your payment was declined". This template has a difficulty rating of 4 out of 5.

Let's stay safe out there.

Robert Lemos of eWEEK interviewed Angela Knox, senior director of engineering and threat research for Cloudmark related to their new Feb 11 security threat report.

"While the stereotypical phishing attack may be grammatically challenged, the popular attack method continues to be effective, according to Cloudmark's report.

While phishing attacks have a reputation for being poorly written and fairly obvious in their attempts to con users, the attacks continue to be a problem for most companies, according to the report.

Ninety-one percent of companies encountered phishing attacks in 2015, with the lion's share —84 percent— of companies claiming attacks successfully snuck past their security defenses, according to a survey of 300 U.S. and UK firms conducted as part of the report.

A relatively simple attack—sending a message to the accounting department purportedly from the company CEO—has become quite popular, with 63 percent of companies having encountered the tactic.

"Even though companies are taking actions, it is still one of the easiest ways in," Angela Knox, senior director of engineering and threat research for Cloudmark, told eWEEK. "It is much easier for someone to hack a human by going through email than to attempt to find a zero day."

Up to that point I was all in agreement, and then she went sideways and came out with a statement that had my mouth hang open in disbelief: "Training is the stop-gap measure that you use if the technology is not providing you defenses you can rely on," she said. "If the technology is protecting you, you don't need training."

Oh, really?

Well, let me answer with a quote of Bruce Schneier: "If you think technology can solve your security problems, then you don't understand the problems and you don't understand the technology." He also constantly makes the point that "Security is a process, not a product. No system is perfect; no technology is ‘The Answer’."

Technology is mostly reactive and usually runs days behind after new attacks. Look at the fresh Locky ransomware attack: 400,000 infections in just a few hours sailing through all the existing defenses by social engineering end-users.

Effective security awareness training is a must these days. Here is the story in eWEEK. Leave a comment and tell them if you agree or not?
http://www.eweek.com/security/phishing-attacks-continue-to-sneak-past-defenses.html

"Everything I've learned the hard way was based on a statistically invalid sample."
- Jay Davis

"We are not human beings having a spiritual experience. We are spiritual beings having a human experience."- Pierre Teilhard de Chardin

Thanks for reading CyberheistNews

Going to RSA in San Francisco this year? Stop by KnowBe4’s Booth 3024, North Hall

• Mitnick Monday! Meet Kevin Mitnick, KnowBe4's Chief Hacking Officer Monday, February 29, 5-7 PM at KnowBe4’s Booth.

• Also, EVERYONE will receive a real Kevin Mitnick collectible stainless steel lock-pick business card all week long.

• See a demo of the innovative Kevin Mitnick Security Awareness Training Platform to train and phish your users.
  
  
• Be entered to win an awesome Drone.

PS, Don't have your pass yet? We've got you covered. Use code XEKNWBE416 to register for your complimentary Exhibit Hall Only Pass. Hurry, the code expires February 26.
http://www.rsaconference.com/events/us16/register

See you in San Francisco!

Stu Sjouwerman,
CEO KnowBe4, Inc

Steve Morgan, Contributor to Forbes Magazine wrote about the Locky ransomware and covered the recent shutdown of a U.S. hospital systems along with equipment used to treat cancer patients.

Hollywood Presbyterian Medical Center in Los Angeles, Calif. declared an internal emergency earlier this month when the hospital had its computer systems cyber attacked and held ransom by hackers, according to an NBC News report.

This is a great article to send to management if you need budget approval for security awareness training. Morgan mentions KnowBe4 as a vendor:
http://www.forbes.com/sites/stevemorgan/2016/02/18/word-doc-can-shutdown-u-s-hospital-computers-and-cancer-treatment-equipment/#4ef090975141

Danielle Correa at SC Magazine wrote: "A Bitdefender global study with respondents from the UK, the US, France, Germany, Denmark and Romania was conducted by iSense Solutions to discover what motivates victims to pay ransoms and how much they value their data.

The study revealed that half of users cannot identify ransomware as a type of threat that prevents or limits access to computer data. Personal documents were the top priority for users to recover.

US users are the most sought-after targets for spam emails with 61.8 percent of all email distributed malware files containing some form of ransomware while the UK had 54.5 percent containing ransomware. More:
https://blog.knowbe4.com/44-of-ransomware-victims-in-the-uk-have-paid-to-recover-their-data

Subscriber Jim sent me this: "This morning, had mail from an unknown.. with an attachment (go figure, right!). It had an extension that I wasn't familiar with, so being the curious person I am I looked it up. The extension on the attached document was .DOCM.

Info from a couple different locations: first the definition of what a "docm" type document is.. "DOCM uses Extensible Markup Lanugage, or XML, for better security, smaller file sizes and improved data recovery for your business documents. The "M" in the file extension means the Word document contains programming elements, called macros; this contrasts with DOCX format, which does not contain macros."

Something you might note with that description is the -macros- part. From the security items that have been floating into the mailbox lately, that's yet another version of an attack.

From the Office website, a listing of various extensions that are in play with Office:
https://support.office.com/en-us/article/Introduction-to-new-file-name-extensions-eca81dcb-5626-4e5b-8362-524d13ae4ec1

As always, if you're not familiar with the sender, or even if you ARE familiar with the sender, check with that person to verify they did indeed (or did NOT) send you mail with an attachment.

• Earth is not revolving around the Sun - at least not the way you may think!
  http://www.flixxy.com/solar-systems-motion-through-space.htm?utm_source=4

• NASA explains how to get to Mars in a few days at 30% lightspeed. Exciting tech!
  http://www.youtube.com/watch?v=WCDuAiA6kX0&sns=em

• Richard Hammond of Top Gear flies on top of an aerobatic bi-plane while it performs some wild aerial maneuvers. That looks like FUN! I want to do that:
  http://www.flixxy.com/top-gears-richard-hammond-flies-on-top-of-a-biplane.htm?utm_source=4

• It doesn't happen often, but if you're on that one-in-a-million flight where a passenger needs to go in the cockpit and land the plane, this is how you do it. Fascinating!
  http://www.flixxy.com/everything-you-need-to-know-to-land-a-737.htm?utm_source=4

• Not only can illusionist Darcy make doves appear out of nowhere, he also has an even bigger trick up his sleeve. The guy is really good:
  http://www.flixxy.com/darcy-oakes-jaw-dropping-dove-illusions-britains-got-talent-2014.htm?utm_source=4

• Take a fascinating tour through ancient Rome 1,700 years ago and see what it was like to live there in 320 AD. Great for a short lunch break:
  http://www.flixxy.com/a-tour-through-ancient-rome.htm?utm_source=4

• Tesla shootout: Can the Model X outrun the Model S? This is fun:
  http://autoweek.com/article/car-news/tesla-shootout-can-model-x-outrun-model-s

• One Minute Time Machine. Classic. Love this one:
  https://www.youtube.com/watch?v=vBkBS4O3yvY

• Watch this mesmerizing footage of over 1,000 sheep being herded in the middle of the North Island of New Zealand:
  http://www.flixxy.com/amazing-aerial-footage-of-sheep-herding-in-new-zealand.htm?utm_source=4

• Kevin Mitnick, "white hat" hacker and KnowBe4 Chief Hacking Officer, thinks Apple shouldn't create special firmware that would compromise the security, and therefore privacy, of iPhone users:
  http://money.cnn.com/video/technology/2016/02/18/apple-privacy-security-kevin-mitnick.cnnmoney/index.html

• How to get more security budget. Forward this to your CISO. LOL:
  http://www.positiveatheism.org/crt/pin.htm